firebase
diff --git a/‎auth/auth.go
Lines changed: 48 additions & 36 deletions b/‎auth/auth.go
Lines changed: 48 additions & 36 deletions
diff --git a/‎auth/auth_appengine.go
Lines changed: 40 additions & 0 deletions b/‎auth/auth_appengine.go
Lines changed: 40 additions & 0 deletions
diff --git a/‎auth/auth_std.go
Lines changed: 23 additions & 0 deletions b/‎auth/auth_std.go
Lines changed: 23 additions & 0 deletions
@@ -16,15 +16,14 @@
 package auth
 
 import (
+	"crypto/rsa"
+	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"strings"
 
-	"crypto/rsa"
-	"crypto/x509"
-
 	"firebase.google.com/go/internal"
 )
 
@@ -62,45 +61,60 @@ type Token struct {
 type Client struct {
 	ks        keySource
 	projectID string
-	email     string
-	pk        *rsa.PrivateKey
+	snr       signer
+}
+
+type signer interface {
+	Email() (string, error)
+	Sign(b []byte) ([]byte, error)
 }
 
 // NewClient creates a new instance of the Firebase Auth Client.
 //
 // This function can only be invoked from within the SDK. Client applications should access the
 // the Auth service through firebase.App.
 func NewClient(c *internal.AuthConfig) (*Client, error) {
+	var (
+		err   error
+		email string
+		pk    *rsa.PrivateKey
+	)
+	if c.Creds != nil && len(c.Creds.JSON) > 0 {
+		var svcAcct struct {
+			ClientEmail string `json:"client_email"`
+			PrivateKey  string `json:"private_key"`
+		}
+		if err := json.Unmarshal(c.Creds.JSON, &svcAcct); err != nil {
+			return nil, err
+		}
+		if svcAcct.PrivateKey != "" {
+			pk, err = parseKey(svcAcct.PrivateKey)
+			if err != nil {
+				return nil, err
+			}
+		}
+		email = svcAcct.ClientEmail
+	}
+	var snr signer
+	if email != "" && pk != nil {
+		snr = serviceAcctSigner{email: email, pk: pk}
+	} else {
+		snr, err = newSigner(c.Ctx)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	ks, err := newHTTPKeySource(c.Ctx, googleCertURL, c.Opts...)
 	if err != nil {
 		return nil, err
 	}
 
-	client := &Client{
+	return &Client{
 		ks:        ks,
 		projectID: c.ProjectID,
-	}
-	if c.Creds == nil || len(c.Creds.JSON) == 0 {
-		return client, nil
-	}
-
-	var svcAcct struct {
-		ClientEmail string `json:"client_email"`
-		PrivateKey  string `json:"private_key"`
-	}
-	if err := json.Unmarshal(c.Creds.JSON, &svcAcct); err != nil {
-		return nil, err
-	}
-
-	if svcAcct.PrivateKey != "" {
-		pk, err := parseKey(svcAcct.PrivateKey)
-		if err != nil {
-			return nil, err
-		}
-		client.pk = pk
-	}
-	client.email = svcAcct.ClientEmail
-	return client, nil
+		snr:       snr,
+	}, nil
 }
 
 // CustomToken creates a signed custom authentication token with the specified user ID. The resulting
@@ -114,11 +128,9 @@ func (c *Client) CustomToken(uid string) (string, error) {
 // CustomTokenWithClaims is similar to CustomToken, but in addition to the user ID, it also encodes
 // all the key-value pairs in the provided map as claims in the resulting JWT.
 func (c *Client) CustomTokenWithClaims(uid string, devClaims map[string]interface{}) (string, error) {
-	if c.email == "" {
-		return "", errors.New("service account email not available")
-	}
-	if c.pk == nil {
-		return "", errors.New("private key not available")
+	iss, err := c.snr.Email()
+	if err != nil {
+		return "", err
 	}
 
 	if len(uid) == 0 || len(uid) > 128 {
@@ -139,15 +151,15 @@ func (c *Client) CustomTokenWithClaims(uid string, devClaims map[string]interfac
 
 	now := clk.Now().Unix()
 	payload := &customToken{
-		Iss:    c.email,
-		Sub:    c.email,
+		Iss:    iss,
+		Sub:    iss,
 		Aud:    firebaseAudience,
 		UID:    uid,
 		Iat:    now,
 		Exp:    now + tokenExpSeconds,
 		Claims: devClaims,
 	}
-	return encodeToken(defaultHeader(), payload, c.pk)
+	return encodeToken(c.snr, defaultHeader(), payload)
 }
 
 // VerifyIDToken verifies the signature	and payload of the provided ID token.
 
@@ -0,0 +1,40 @@
+// +build appengine
+
+// Copyright 2017 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package auth
+
+import (
+	"golang.org/x/net/context"
+
+	"google.golang.org/appengine"
+)
+
+type aeSigner struct {
+	ctx context.Context
+}
+
+func newSigner(ctx context.Context) (signer, error) {
+	return aeSigner{ctx}, nil
+}
+
+func (s aeSigner) Email() (string, error) {
+	return appengine.ServiceAccount(s.ctx)
+}
+
+func (s aeSigner) Sign(ss []byte) ([]byte, error) {
+	_, sig, err := appengine.SignBytes(s.ctx, ss)
+	return sig, err
+}
@@ -0,0 +1,23 @@
+// +build !appengine
+
+// Copyright 2017 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package auth
+
+import "context"
+
+func newSigner(ctx context.Context) (signer, error) {
+	return serviceAcctSigner{}, nil
+}